Merge pull request #5105 from JLLeitschuh/feat/JLL/depricated_bintray_usage

CWE-1104: Maven POM dependence upon Bintray/JCenter

java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.qhelp

@@ -0,0 +1,45 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p><a href="https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/">Bintray and JCenter are shutting down on February 1st, 2022</a>.
+Relying upon repositories that are deprecated or scheduled to be shutdown can have unintended consequences;
+for example, artifacts being resolved from a different artifact server or a total failure of the CI build.</p>
+
+<p>When artifact repositories are left unmaintained for a long period of time, vulnerabilities may emerge.
+Theoretically, this could allow attackers to inject malicious code into the artifacts that you are resolving and infect build artifacts
+that are being produced. This can be used by attackers to perform a
+<a href="https://en.wikipedia.org/wiki/Supply_chain_attack">supply chain attack</a>
+against your project's users.
+</p>
+
+</overview>
+<recommendation>
+
+<p>Always use the canonical repository for resolving your dependencies.</p>
+
+</recommendation>
+
+<example>
+
+<p>The following example shows locations in a Maven POM file where artifact repository upload/download is configured.
+The use of Bintray in any of these locations is not advised.
+</p>
+
+<sample src="bad-bintray-pom.xml" />
+
+</example>
+<references>
+<li>
+  JFrog blog:
+  <a href="https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/">
+    Into the Sunset on May 1st: Bintray, JCenter, GoCenter, and ChartCenter
+  </a>
+</li>
+
+<!--  LocalWords:  CWE maven dependencies artifact jcenter bintray
+ -->
+
+</references>
+</qhelp>

java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Depending upon JCenter/Bintray as an artifact repository
+ * @description Using a deprecated artifact repository may eventually give attackers access for a supply chain attack.
+ * @kind problem
+ * @problem.severity error
+ * @precision very-high
+ * @id java/maven/dependency-upon-bintray
+ * @tags security
+ *       external/cwe/cwe-1104
+ */
+
+import java
+import semmle.code.xml.MavenPom
+
+predicate isBintrayRepositoryUsage(DeclaredRepository repository) {
+  repository.getUrl().matches("%.bintray.com%")
+}
+
+from DeclaredRepository repository
+where isBintrayRepositoryUsage(repository)
+select repository,
+  "Downloading or uploading artifacts to deprecated repository " + repository.getUrl()

java/ql/src/Security/CWE/CWE-1104/bad-bintray-pom.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Bintray Usage</name>
+    <description>An example of using bintray to download and upload dependencies</description>
+
+    <distributionManagement>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+        <snapshotRepository>
+            <id>jcenter-snapshots</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+    </repositories>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use Bintray -->
+            <url>https://dl.bintray.com/groovy/maven</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>jcenter-plugins</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>

java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql

@@ -15,22 +15,12 @@
 import java
 import semmle.code.xml.MavenPom
 
-private class DeclaredRepository extends PomElement {
-  DeclaredRepository() {
-    this.getName() = "repository" or
-    this.getName() = "snapshotRepository" or
-    this.getName() = "pluginRepository"
-  }
-
-  string getUrl() { result = getAChild("url").(PomElement).getValue() }
-
-  predicate isInsecureRepositoryUsage() {
-    getUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*")
-  }
+predicate isInsecureRepositoryUsage(DeclaredRepository repository) {
+  repository.getUrl().regexpMatch("(?i)^(http|ftp)://(?!localhost[:/]).*")
 }
 
 from DeclaredRepository repository
-where repository.isInsecureRepositoryUsage()
+where isInsecureRepositoryUsage(repository)
 select repository,
   "Downloading or uploading artifacts over insecure protocol (eg. http or ftp) to/from repository " +
     repository.getUrl()

java/ql/src/semmle/code/xml/MavenPom.qll

@@ -368,6 +368,19 @@ class PomProperty extends PomElement {
   PomProperty() { getParent() instanceof PomProperties }
 }
 
+/**
+ * An XML element representing any kind of repository declared inside of a Maven POM XML file.
+ */
+class DeclaredRepository extends PomElement {
+  DeclaredRepository() { this.getName() = ["repository", "snapshotRepository", "pluginRepository"] }
+
+  /**
+   * Gets the url for this repository. If the `url` tag is present, this will
+   * be the string contents of that tag.
+   */
+  string getUrl() { result = getAChild("url").(PomElement).getValue() }
+}
+
 /**
  * A folder that represents a local Maven repository using the standard layout. Any folder called
  * "repository" with a parent name ".m2" is considered to be a Maven repository.

java/ql/test/query-tests/security/CWE-1104/semmle/tests/A.java

@@ -0,0 +1,2 @@
+public class A {
+}

java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.expected

@@ -0,0 +1,5 @@
+| bad-bintray-pom.xml:17:9:22:22 | repository | Downloading or uploading artifacts to deprecated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:23:9:28:30 | snapshotRepository | Downloading or uploading artifacts to deprecated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:31:9:36:22 | repository | Downloading or uploading artifacts to deprecated repository https://jcenter.bintray.com |
+| bad-bintray-pom.xml:39:9:44:22 | repository | Downloading or uploading artifacts to deprecated repository https://dl.bintray.com/groovy/maven |
+| bad-bintray-pom.xml:47:9:52:28 | pluginRepository | Downloading or uploading artifacts to deprecated repository https://jcenter.bintray.com |

java/ql/test/query-tests/security/CWE-1104/semmle/tests/MavenPomDependsOnBintray.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql

java/ql/test/query-tests/security/CWE-1104/semmle/tests/bad-bintray-pom.xml

@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.semmle</groupId>
+    <artifactId>parent</artifactId>
+    <version>1.0</version>
+    <packaging>pom</packaging>
+
+    <name>Bintray Usage Testing</name>
+    <description>An example of using bintray as a repository</description>
+
+    <distributionManagement>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+        <snapshotRepository>
+            <id>jcenter-snapshots</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </snapshotRepository>
+    </distributionManagement>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </repository>
+    </repositories>
+    <repositories>
+        <repository>
+            <id>jcenter</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use Bintray -->
+            <url>https://dl.bintray.com/groovy/maven</url>
+        </repository>
+    </repositories>
+    <pluginRepositories>
+        <pluginRepository>
+            <id>jcenter-plugins</id>
+            <name>JCenter</name>
+            <!-- BAD! Don't use JCenter -->
+            <url>https://jcenter.bintray.com</url>
+        </pluginRepository>
+    </pluginRepositories>
+</project>